diff --git a/core/init/migration/helper/script.go b/core/init/migration/helper/script.go index 2d89e6aef..82b8b4c85 100644 --- a/core/init/migration/helper/script.go +++ b/core/init/migration/helper/script.go @@ -40,197 +40,344 @@ func LoadScript() { func loadInstallFirewall() string { return `#!/bin/bash -# 检测操作系统类型 -if [ -f /etc/os-release ]; then - . /etc/os-release - OS=$ID - OS_LIKE=$(echo $ID_LIKE | awk '{print $1}') # 获取类似的发行版信息 -else - echo "无法检测操作系统类型" - exit 1 -fi +# 防火墙 安装配置脚本 +# 支持 Ubuntu/Debian/CentOS/RHEL/Alpine/Arch Linux + +set -e + +# 颜色定义 +RED='\033[0;31m' +GREEN='\033[0;32m' +YELLOW='\033[0;33m' +NC='\033[0m' # No Color + +FIREWALL="" + + +# 检测操作系统 +detect_os() { + if [ -f /etc/os-release ]; then + . /etc/os-release + OS=$ID + VERSION=$VERSION_ID + elif type lsb_release >/dev/null 2>&1; then + OS=$(lsb_release -si | tr '[:upper:]' '[:lower:]') + VERSION=$(lsb_release -sr) + elif [ -f /etc/redhat-release ]; then + OS="rhel" + VERSION=$(grep -oE '[0-9]+\.[0-9]+' /etc/redhat-release) + elif [ -f /etc/alpine-release ]; then + OS="alpine" + VERSION=$(cat /etc/alpine-release) + else + OS=$(uname -s | tr '[:upper:]' '[:lower:]') + VERSION=$(uname -r) + fi +} # 安装防火墙 -FIREWALL="" -if [ "$OS" == "ubuntu" ] || [ "$OS" == "debian" ]; then - echo "检测到 Debian/Ubuntu 系统,正在安装 ufw..." - FIREWALL="ufw" - apt-get update - apt-get install -y ufw -elif [ "$OS" == "centos" ] || [ "$OS" == "rhel" ] || [ "$OS_LIKE" == "rhel" ]; then - echo "检测到 Red Hat/CentOS 系统,正在安装 firewall..." - FIREWALL="firewalld" - yum update - yum install -y firewalld -else - echo "不支持的操作系统: $OS" - exit 1 -fi +install_firewall() { + if [ "$OS" == "ubuntu" ] || [ "$OS" == "debian" ]; then + echo -e "${GREEN}检测到操作系统: $OS $VERSION,正在安装 ufw...${NC}" + FIREWALL="ufw" + apt-get update + apt-get install -y ufw + elif [ "$OS" == "centos" ] || [ "$OS" == "rhel" ] || [ "$OS_LIKE" == "rhel" ]; then + echo -e "${GREEN}检测到操作系统: $OS $VERSION,正在安装 firewall...${NC}" + FIREWALL="firewalld" + yum update + yum install -y firewalld + else + echo -e "${RED}不支持的操作系统${NC}" + exit 1 + fi +} -read -p "请输入需要放行的端口(多个端口用空格分隔,如 80 443 22): " PORTS +# 初始化并启动 +start_with_init() { + read -p "请输入需要放行的端口(多个端口用空格分隔,如 80 443 22): " PORTS -# 验证端口输入 -if [ -z "$PORTS" ]; then - echo "错误:未输入任何端口" - exit 1 -fi + # 验证端口输入 + if [ -z "$PORTS" ]; then + echo -e "${RED}错误:未输入任何端口${NC}" + exit 1 + fi -case $FIREWALL in - firewalld) - echo "配置firewalld..." - systemctl start firewalld - systemctl enable firewalld - - for port in $PORTS; do - firewall-cmd --zone=public --permanent --add-port="$port/tcp" - done - - firewall-cmd --reload - echo "已放行以下TCP端口: $PORTS" - ;; - - ufw) - echo "配置ufw..." - ufw --force enable - - for port in $PORTS; do - ufw allow "$port/tcp" - done - - echo "已放行以下TCP端口: $PORTS" - ;; -esac + case $FIREWALL in + firewalld) + echo -e "${GREEN}配置firewalld...${NC}" + echo "初始化并启动firewalld..." + systemctl start firewalld + systemctl enable firewalld + + for port in $PORTS; do + firewall-cmd --zone=public --permanent --add-port="$port/tcp" + done + + firewall-cmd --reload + echo -e "${GREEN}已放行以下TCP端口: $PORTS ${NC}" + ;; + + ufw) + echo -e "${GREEN}初始化并启动ufw...${NC}" + ufw --force enable + + for port in $PORTS; do + ufw allow "$port/tcp" + done + + echo -e "${GREEN}已放行以下TCP端口: $PORTS ${NC}" + ;; + esac +} # 检查防火墙是否正常运行 -if [ "$FIREWALL" = "firewalld" ]; then - if firewall-cmd --state &> /dev/null; then - echo "firewalld 安装完成并正常运行!" - else - echo "firewalld 安装或配置出现问题,请检查日志" - exit 1 +check_install() { + if [ "$FIREWALL" = "firewalld" ]; then + if command -v firewall-cmd &> /dev/null; then + systemctl status firewalld || true + fi + else + if command -v ufw &> /dev/null; then + ufw status || true + fi fi -else - if ufw status | grep -q "Status: active"; then - echo "ufw 安装完成并正常运行!" - else - echo "ufw 安装或配置出现问题,请检查日志" - exit 1 - fi -fi -exit 0` + echo -e "${GREEN}$FIREWALL 安装完成并启动${NC}" +} + +# 主函数 +main() { + detect_os + install_firewall + start_with_init + check_install +} + +main "$@"` } func loadInstallFTP() string { return `#!/bin/bash -# 检测操作系统类型 -if [ -f /etc/os-release ]; then - . /etc/os-release - OS=$ID - OS_LIKE=$(echo $ID_LIKE | awk '{print $1}') # 获取类似的发行版信息 -else - echo "无法检测操作系统类型" - exit 1 -fi +# Pure-FTPd 安装配置脚本 +# 支持 Ubuntu/Debian/CentOS/RHEL/Alpine/Arch Linux -# 安装 Pure-FTPd -if [ "$OS" == "ubuntu" ] || [ "$OS" == "debian" ]; then - echo "检测到 Debian/Ubuntu 系统,正在安装 Pure-FTPd..." - apt-get update - apt-get install -y pure-ftpd -elif [ "$OS" == "centos" ] || [ "$OS" == "rhel" ] || [ "$OS_LIKE" == "rhel" ]; then - echo "检测到 Red Hat/CentOS 系统,正在安装 Pure-FTPd..." - yum install -y epel-release - yum install -y pure-ftpd -else - echo "不支持的操作系统: $OS" - exit 1 -fi +set -e -# 配置 Pure-FTPd -echo "配置 Pure-FTPd..." -PURE_FTPD_CONF="/etc/pure-ftpd/pure-ftpd.conf" -if [ -f "$PURE_FTPD_CONF" ]; then - cp "$PURE_FTPD_CONF" "$PURE_FTPD_CONF.bak" - sed -i 's/^NoAnonymous[[:space:]]\+no$/NoAnonymous yes/' "$PURE_FTPD_CONF" - sed -i 's/^PAMAuthentication[[:space:]]\+yes$/PAMAuthentication no/' "$PURE_FTPD_CONF" - sed -i 's/^# PassivePortRange[[:space:]]\+30000 50000$/PassivePortRange 39000 40000/' "$PURE_FTPD_CONF" - sed -i 's/^VerboseLog[[:space:]]\+no$/VerboseLog yes/' "$PURE_FTPD_CONF" - sed -i 's/^# PureDB[[:space:]]\+\/etc\/pure-ftpd\/pureftpd\.pdb[[:space:]]*$/PureDB \/etc\/pure-ftpd\/pureftpd.pdb/' "$PURE_FTPD_CONF" -else - echo '/etc/pure-ftpd/pureftpd.pdb' > /etc/pure-ftpd/conf/PureDB - echo yes > /etc/pure-ftpd/conf/VerboseLog - echo yes > /etc/pure-ftpd/conf/NoAnonymous - echo '39000 40000' > /etc/pure-ftpd/conf/PassivePortRange - echo 'no' > /etc/pure-ftpd/conf/PAMAuthentication - echo 'no' > /etc/pure-ftpd/conf/UnixAuthentication - echo 'clf:/var/log/pure-ftpd/transfer.log' > /etc/pure-ftpd/conf/AltLog - ln -s /etc/pure-ftpd/conf/PureDB /etc/pure-ftpd/auth/50puredb -fi +# 颜色定义 +RED='\033[0;31m' +GREEN='\033[0;32m' +YELLOW='\033[0;33m' +NC='\033[0m' # No Color -# 设置开机自启动并启动服务 -if command -v systemctl &> /dev/null; then - echo "设置 Pure-FTPd 开机自启动..." - systemctl enable pure-ftpd - echo "启动 Pure-FTPd 服务..." - systemctl start pure-ftpd +# 检测操作系统 +detect_os() { + if [ -f /etc/os-release ]; then + . /etc/os-release + OS=$ID + VERSION=$VERSION_ID + elif type lsb_release >/dev/null 2>&1; then + OS=$(lsb_release -si | tr '[:upper:]' '[:lower:]') + VERSION=$(lsb_release -sr) + elif [ -f /etc/redhat-release ]; then + OS="rhel" + VERSION=$(grep -oE '[0-9]+\.[0-9]+' /etc/redhat-release) + elif [ -f /etc/alpine-release ]; then + OS="alpine" + VERSION=$(cat /etc/alpine-release) + else + OS=$(uname -s | tr '[:upper:]' '[:lower:]') + VERSION=$(uname -r) + fi +} - if systemctl is-active --quiet pure-ftpd; then - echo "Pure-FTPd 已成功安装并启动" - else - echo "Pure-FTPd 启动失败,请检查日志" - exit 1 - fi -else - echo "systemctl 不可用,请手动启动 Pure-FTPd" - exit 1 -fi +# 安装Pure-FTPd +install_pureftpd() { + echo -e "${GREEN}检测到操作系统: $OS $VERSION${NC}" -exit 0` + case "$OS" in + ubuntu|debian) + apt-get update + apt-get install -y pure-ftpd + ;; + centos|rhel|fedora) + if [ "$OS" = "rhel" ] && [ "${VERSION%%.*}" -ge 8 ]; then + dnf install -y epel-release + dnf install -y pure-ftpd + else + yum install -y epel-release + yum install -y pure-ftpd + fi + ;; + alpine) + apk add --no-cache pure-ftpd + ;; + arch) + pacman -Sy --noconfirm pure-ftpd + ;; + *) + echo -e "${RED}不支持的操作系统${NC}" + exit 1 + ;; + esac + + if ! command -v pure-ftpd &> /dev/null; then + echo -e "${RED}Pure-FTPd安装失败${NC}" + exit 1 + fi +} + +# 配置Pure-FTPd +configure_pureftpd() { + echo -e "${GREEN}配置Pure-FTPd...${NC}" + + PURE_FTPD_CONF="/etc/pure-ftpd/pure-ftpd.conf" + if [ -f "$PURE_FTPD_CONF" ]; then + cp "$PURE_FTPD_CONF" "$PURE_FTPD_CONF.bak" + sed -i 's/^NoAnonymous[[:space:]]\+no$/NoAnonymous yes/' "$PURE_FTPD_CONF" + sed -i 's/^PAMAuthentication[[:space:]]\+yes$/PAMAuthentication no/' "$PURE_FTPD_CONF" + sed -i 's/^# PassivePortRange[[:space:]]\+30000 50000$/PassivePortRange 39000 40000/' "$PURE_FTPD_CONF" + sed -i 's/^VerboseLog[[:space:]]\+no$/VerboseLog yes/' "$PURE_FTPD_CONF" + sed -i 's/^# PureDB[[:space:]]\+\/etc\/pure-ftpd\/pureftpd\.pdb[[:space:]]*$/PureDB \/etc\/pure-ftpd\/pureftpd.pdb/' "$PURE_FTPD_CONF" + else + touch /etc/pure-ftpd/pureftpd.pdb + chmod 644 /etc/pure-ftpd/pureftpd.pdb + echo '/etc/pure-ftpd/pureftpd.pdb' > /etc/pure-ftpd/conf/PureDB + echo yes > /etc/pure-ftpd/conf/VerboseLog + echo yes > /etc/pure-ftpd/conf/NoAnonymous + echo '39000 40000' > /etc/pure-ftpd/conf/PassivePortRange + echo 'no' > /etc/pure-ftpd/conf/PAMAuthentication + echo 'no' > /etc/pure-ftpd/conf/UnixAuthentication + echo 'clf:/var/log/pure-ftpd/transfer.log' > /etc/pure-ftpd/conf/AltLog + ln -s /etc/pure-ftpd/conf/PureDB /etc/pure-ftpd/auth/50puredb + fi +} + +# 启动服务 +start_service() { + echo -e "${GREEN}启动Pure-FTPd服务...${NC}" + + case "$OS" in + ubuntu|debian) + systemctl enable pure-ftpd + systemctl restart pure-ftpd + ;; + centos|rhel|fedora) + systemctl enable pure-ftpd + systemctl restart pure-ftpd + ;; + alpine) + rc-update add pure-ftpd + rc-service pure-ftpd start + ;; + arch) + systemctl enable pure-ftpd + systemctl restart pure-ftpd + ;; + *) + echo -e "${YELLOW}无法自动启动服务,请手动启动${NC}" + ;; + esac + + # 验证服务状态 + if command -v systemctl &> /dev/null; then + systemctl status pure-ftpd || true + else + rc-service pure-ftpd status || true + fi +} + + + +# 主函数 +main() { + detect_os + install_pureftpd + configure_pureftpd + start_service +} + +main "$@"` } func loadInstallClamAV() string { return `#!/bin/bash -# 检测操作系统类型 -if [ -f /etc/os-release ]; then - . /etc/os-release - OS=$ID - OS_VER=$VERSION_ID -elif type lsb_release >/dev/null 2>&1; then - OS=$(lsb_release -si | tr '[:upper:]' '[:lower:]') - OS_VER=$(lsb_release -sr) -else - echo "无法识别操作系统" - exit 1 -fi +# ClamAV 安装启动脚本 +# 支持 Ubuntu/Debian/CentOS/RHEL/Alpine/Arch Linux + +set -e + +# 颜色定义 +RED='\033[0;31m' +GREEN='\033[0;32m' +YELLOW='\033[0;33m' +NC='\033[0m' # No Color + +# 检测操作系统 +detect_os() { + if [ -f /etc/os-release ]; then + . /etc/os-release + OS=$ID + VERSION=$VERSION_ID + elif type lsb_release >/dev/null 2>&1; then + OS=$(lsb_release -si | tr '[:upper:]' '[:lower:]') + VERSION=$(lsb_release -sr) + elif [ -f /etc/redhat-release ]; then + OS="rhel" + VERSION=$(grep -oE '[0-9]+\.[0-9]+' /etc/redhat-release) + elif [ -f /etc/alpine-release ]; then + OS="alpine" + VERSION=$(cat /etc/alpine-release) + else + OS=$(uname -s | tr '[:upper:]' '[:lower:]') + VERSION=$(uname -r) + fi +} # 安装ClamAV install_clamav() { - case $OS in + echo -e "${GREEN}检测到操作系统: $OS $VERSION${NC}" + + case "$OS" in ubuntu|debian) apt-get update - apt-get install -y clamav clamav-daemon + apt-get install -y clamav clamav-daemon clamav-freshclam ;; - centos|rhel|rocky|almalinux) - if [[ $OS_VER == 7* ]]; then + centos|rhel|fedora) + if [ "$OS" = "rhel" ] && [ "${VERSION%%.*}" -ge 8 ]; then + dnf install -y epel-release + dnf install -y clamav clamd clamav-update + else yum install -y epel-release yum install -y clamav clamd clamav-update - else - dnf install -y clamav clamd clamav-update fi ;; + alpine) + apk add --no-cache clamav clamav-libunrar clamav-daemon clamav-freshclam + ;; + arch) + pacman -Sy --noconfirm clamav + ;; *) - echo "不支持的OS: $OS" + echo -e "${RED}不支持的操作系统${NC}" exit 1 ;; esac + + if ! command -v clamscan &> /dev/null; then + echo -e "${RED}ClamAV安装失败${NC}" + exit 1 + fi } -# 配置 clamd +# clamd configure_clamd() { + echo -e "${GREEN}配置clamd...${NC}" + + # 备份原始配置 CLAMD_CONF="" if [ -f "/etc/clamd.d/scan.conf" ]; then CLAMD_CONF="/etc/clamd.d/scan.conf" @@ -240,20 +387,20 @@ configure_clamd() { echo "未找到 freshclam 配置文件,请手动配置" exit 1 fi - - echo "配置 clamd $CLAMD_CONF..." - # 备份原始配置文件 cp "$CLAMD_CONF" "$CLAMD_CONF.bak" - # 修改配置文件 + # 禁用检查新版本以避免权限问题 sed -i 's|^LogFileMaxSize .*|LogFileMaxSize 2M|' "$CLAMD_CONF" sed -i 's|^PidFile .*|PidFile /run/clamd.scan/clamd.pid|' "$CLAMD_CONF" sed -i 's|^DatabaseDirectory .*|DatabaseDirectory /var/lib/clamav|' "$CLAMD_CONF" sed -i 's|^LocalSocket .*|LocalSocket /run/clamd.scan/clamd.sock|' "$CLAMD_CONF" } -# 配置 freshclam +# 配置freshclam configure_freshclam() { + echo -e "${GREEN}配置freshclam...${NC}" + + # 备份原始配置 FRESHCLAM_CONF="" if [ -f "/etc/freshclam.conf" ]; then FRESHCLAM_CONF="/etc/freshclam.conf" @@ -263,112 +410,194 @@ configure_freshclam() { echo "未找到 freshclam 配置文件,请手动配置" exit 1 fi - - echo "freshclam.con $FRESHCLAM_CONF..." - # 备份原始配置文件 cp "$FRESHCLAM_CONF" "$FRESHCLAM_CONF.bak" - # 修改配置文件 + # 禁用检查新版本以避免权限问题 sed -i 's|^DatabaseDirectory .*|DatabaseDirectory /var/lib/clamav|' "$FRESHCLAM_CONF" sed -i 's|^PidFile .*|PidFile /var/run/freshclam.pid|' "$FRESHCLAM_CONF" - sed -i 's/DatabaseMirror db.local.clamav.net/DatabaseMirror database.clamav.net/' "$FRESHCLAM_CONF" + sed -i '/^DatabaseMirror/d' "$FRESHCLAM_CONF" + echo "DatabaseMirror database.clamav.net" | sudo tee -a "$FRESHCLAM_CONF" sed -i 's|^Checks .*|Checks 12|' "$FRESHCLAM_CONF" } -# 服务管理 -setup_service() { - case $OS in - ubuntu|debian) - systemctl stop clamav-freshclam - systemctl start clamav-daemon - systemctl enable clamav-daemon - systemctl start clamav-freshclam - systemctl enable clamav-freshclam - ;; - centos|rhel|rocky|almalinux) - if [[ $OS_VER == 7* ]]; then - systemctl stop freshclam - systemctl start clamd@scan - systemctl enable clamd@scan - systemctl start freshclam - systemctl enable freshclam - else - systemctl stop clamav-freshclam - systemctl start clamd@scan - systemctl enable clamd@scan - systemctl start clamav-freshclam - systemctl enable clamav-freshclam - fi - ;; - esac +# 下载病毒数据库 +download_database() { + systemctl stop clamav-freshclam + echo -e "${GREEN}开始下载病毒数据库...${NC}" + + MAX_RETRIES=5 + RETRY_DELAY=60 + ATTEMPT=1 + + while [ $ATTEMPT -le $MAX_RETRIES ]; do + echo -e "${YELLOW}尝试 $ATTEMPT/$MAX_RETRIES: 运行freshclam...${NC}" + + if freshclam --verbose; then + echo -e "${GREEN}成功下载病毒数据库${NC}" + return 0 + fi + + if [ $ATTEMPT -lt $MAX_RETRIES ]; then + echo -e "${YELLOW}下载失败,等待 $RETRY_DELAY 秒后重试...${NC}" + sleep $RETRY_DELAY + fi + + ATTEMPT=$((ATTEMPT+1)) + done + + echo -e "${RED}错误: 无法在 $MAX_RETRIES 次尝试后下载病毒数据库${NC}" >&2 + exit 1 } -# 主执行流程 -echo "正在安装 ClamAV..." -install_clamav +# 启动ClamAV服务 +start_services() { + echo -e "${GREEN}启动ClamAV服务...${NC}" + + case "$OS" in + ubuntu|debian) + systemctl enable --now clamav-daemon + systemctl enable --now clamav-freshclam + ;; + centos|rhel|fedora) + systemctl enable --now clamd@scan + systemctl enable --now clamav-freshclam + ;; + alpine) + rc-update add clamd boot + rc-update add freshclam boot + rc-service clamd start + rc-service freshclam start + ;; + arch) + systemctl enable --now clamav-daemon + systemctl enable --now clamav-freshclam + ;; + *) + echo -e "${YELLOW}无法自动启动服务,请手动启动${NC}" + ;; + esac + + # 验证服务状态 + if command -v systemctl &> /dev/null; then + systemctl status clamav-daemon || true + systemctl status clamav-freshclam || true + fi + + echo -e "${GREEN}ClamAV安装完成并启动${NC}" +} -echo -e "配置 clamd..." -configure_clamd +# 主函数 +main() { + detect_os + install_clamav + configure_clamd + configure_freshclam + download_database + start_services +} -echo -e "配置 freshclam..." -configure_freshclam - -echo -e "设置服务..." -setup_service - -echo -e "安装完成!" - -echo 0` +main "$@"` } func loadInstallFail2ban() string { return `#!/bin/bash -# 检测操作系统类型 -if [ -f /etc/os-release ]; then - . /etc/os-release - OS=$ID - OS_LIKE=$(echo $ID_LIKE | awk '{print $1}') # 获取类似的发行版信息 -else - echo "无法检测操作系统类型" - exit 1 -fi +# Fail2ban 安装配置脚本 +# 支持 Ubuntu/Debian/CentOS/RHEL/Alpine/Arch Linux -# 安装 fail2ban -if [ "$OS" == "ubuntu" ] || [ "$OS" == "debian" ]; then - echo "检测到 Debian/Ubuntu 系统,正在安装 fail2ban..." - apt-get update - apt-get install -y fail2ban -elif [ "$OS" == "centos" ] || [ "$OS" == "rhel" ] || [ "$OS_LIKE" == "rhel" ]; then - echo "检测到 Red Hat/CentOS 系统,正在安装 fail2ban..." - yum install -y epel-release - yum install -y fail2ban -else - echo "不支持的操作系统: $OS" - exit 1 -fi +set -e -# 配置 fail2ban -echo "配置 fail2ban..." -FAIL2BAN_CONF="/etc/fail2ban/jail.local" -LOG_FILE="" -BAN_ACTION="" +# 颜色定义 +RED='\033[0;31m' +GREEN='\033[0;32m' +YELLOW='\033[0;33m' +NC='\033[0m' # No Color -if systemctl is-active --quiet firewalld 2>/dev/null; then - BAN_ACTION="firewallcmd-ipset" -elif systemctl is-active --quiet ufw 2>/dev/null || service ufw status 2>/dev/null | grep -q "active"; then - BAN_ACTION="ufw" -else - BAN_ACTION="iptables-allports" -fi -if [ -f /var/log/secure ]; then - LOG_FILE="/var/log/secure" -else - LOG_FILE="/var/log/auth.log" -fi +# 检测操作系统 +detect_os() { + if [ -f /etc/os-release ]; then + . /etc/os-release + OS=$ID + VERSION=$VERSION_ID + elif type lsb_release >/dev/null 2>&1; then + OS=$(lsb_release -si | tr '[:upper:]' '[:lower:]') + VERSION=$(lsb_release -sr) + elif [ -f /etc/redhat-release ]; then + OS="rhel" + VERSION=$(grep -oE '[0-9]+\.[0-9]+' /etc/redhat-release) + elif [ -f /etc/alpine-release ]; then + OS="alpine" + VERSION=$(cat /etc/alpine-release) + else + OS=$(uname -s | tr '[:upper:]' '[:lower:]') + VERSION=$(uname -r) + fi +} -cat < "$FAIL2BAN_CONF" +# 安装Fail2ban +install_fail2ban() { + echo -e "${GREEN}检测到操作系统: $OS $VERSION${NC}" + + case "$OS" in + ubuntu|debian) + apt-get update + apt-get install -y fail2ban + ;; + centos|rhel|fedora) + if [ "$OS" = "rhel" ] && [ "${VERSION%%.*}" -ge 8 ]; then + dnf install -y epel-release + dnf install -y fail2ban + else + yum install -y epel-release + yum install -y fail2ban + fi + ;; + alpine) + apk add --no-cache fail2ban + ;; + arch) + pacman -Sy --noconfirm fail2ban + ;; + *) + echo -e "${RED}不支持的操作系统${NC}" + exit 1 + ;; + esac + + sleep 2 + if command -v systemctl &> /dev/null; then + systemctl status fail2ban --no-pager || true + else + rc-service fail2ban status || true + fi + + fail2ban-client status +} + +# 配置Fail2ban +configure_fail2ban() { + echo -e "${GREEN}配置Fail2ban...${NC}" + + FAIL2BAN_CONF="/etc/fail2ban/jail.local" + LOG_FILE="" + BAN_ACTION="" + + if systemctl is-active --quiet firewalld 2>/dev/null; then + BAN_ACTION="firewallcmd-ipset" + elif systemctl is-active --quiet ufw 2>/dev/null || service ufw status 2>/dev/null | grep -q "active"; then + BAN_ACTION="ufw" + else + BAN_ACTION="iptables-allports" + fi + + if [ -f /var/log/secure ]; then + LOG_FILE="/var/log/secure" + else + LOG_FILE="/var/log/auth.log" + fi + + cat < "$FAIL2BAN_CONF" #DEFAULT-START [DEFAULT] bantime = 600 @@ -390,95 +619,163 @@ banaction = $BAN_ACTION action = %(action_mwl)s logpath = $LOG_FILE EOF +} -# 设置开机自启动并启动服务 -if command -v systemctl &> /dev/null; then - echo "设置 fail2ban 开机自启动..." - systemctl enable fail2ban +# 启动服务 +start_service() { + echo -e "${GREEN}启动Fail2ban服务...${NC}" + + case "$OS" in + ubuntu|debian) + systemctl enable fail2ban + systemctl restart fail2ban + ;; + centos|rhel|fedora) + systemctl enable fail2ban + systemctl restart fail2ban + ;; + alpine) + rc-update add fail2ban + rc-service fail2ban start + ;; + arch) + systemctl enable fail2ban + systemctl restart fail2ban + ;; + *) + echo -e "${YELLOW}无法自动启动服务,请手动启动${NC}" + ;; + esac - echo "启动 fail2ban 服务..." - systemctl start fail2ban + # 验证服务状态 + if command -v systemctl &> /dev/null; then + systemctl status fail2ban || true + else + rc-service fail2ban status || true + fi +} - if systemctl is-active --quiet fail2ban; then - echo "fail2ban 已成功安装并启动" - else - echo "fail2ban 启动失败,请检查日志" - exit 1 - fi -else - echo "systemctl 不可用,请手动启动 fail2ban" - exit 1 -fi -# 检查 fail2ban 是否正常运行 -if fail2ban-client status &> /dev/null; then - echo "fail2ban 安装完成并正常运行!" -else - echo "fail2ban 安装或配置出现问题,请检查日志" - exit 1 -fi -exit 0` +# 主函数 +main() { + detect_os + install_fail2ban + configure_fail2ban + start_service +} + +main "$@"` } func loadInstallSupervisor() string { return `#!/bin/bash -# 检测操作系统类型 -if [ -f /etc/os-release ]; then - . /etc/os-release - OS=$ID - OS_LIKE=$(echo $ID_LIKE | awk '{print $1}') # 获取类似的发行版信息 -else - echo "无法检测操作系统类型" - exit 1 -fi +# Supervisor 安装管理脚本 +# 功能:自动安装 + 基础配置 + 进程管理模板 +# 支持 Ubuntu/Debian/CentOS/RHEL/Alpine/Arch Linux -# 安装 Supervisor -if [ "$OS" == "ubuntu" ] || [ "$OS" == "debian" ]; then - echo "检测到 Debian/Ubuntu 系统,正在安装 Supervisor..." - apt-get update - apt-get install -y supervisor -elif [ "$OS" == "centos" ] || [ "$OS" == "rhel" ] || [ "$OS_LIKE" == "rhel" ]; then - echo "检测到 Red Hat/CentOS 系统,正在安装 Supervisor..." - yum install -y epel-release - yum install -y supervisor -else - echo "不支持的操作系统: $OS" - exit 1 -fi +set -e -# 创建日志目录 -echo "创建日志目录..." -mkdir -p /var/log/supervisor -chmod -R 755 /var/log/supervisor +# 颜色定义 +RED='\033[0;31m' +GREEN='\033[0;32m' +YELLOW='\033[0;33m' +NC='\033[0m' # No Color -# 设置开机自启动并启动服务 -if command -v systemctl &> /dev/null; then - echo "设置 Supervisor 开机自启动..." - systemctl enable supervisord - - echo "启动 Supervisor 服务..." - systemctl start supervisord - - if systemctl is-active --quiet supervisord; then - echo "Supervisor 已成功安装并启动" - else - echo "Supervisor 启动失败,请检查日志" - exit 1 - fi -else - echo "systemctl 不可用,请手动启动 Supervisor" - exit 1 -fi - -# 检查 Supervisor 是否正常运行 -if supervisorctl status &> /dev/null; then - echo "Supervisor 安装完成并正常运行!" -else - echo "Supervisor 安装或配置出现问题,请检查日志" - exit 1 -fi - -exit 0` +# 检测操作系统 +detect_os() { + if [ -f /etc/os-release ]; then + . /etc/os-release + OS=$ID + VERSION=$VERSION_ID + elif type lsb_release >/dev/null 2>&1; then + OS=$(lsb_release -si | tr '[:upper:]' '[:lower:]') + VERSION=$(lsb_release -sr) + elif [ -f /etc/redhat-release ]; then + OS="rhel" + VERSION=$(grep -oE '[0-9]+\.[0-9]+' /etc/redhat-release) + elif [ -f /etc/alpine-release ]; then + OS="alpine" + VERSION=$(cat /etc/alpine-release) + else + OS=$(uname -s | tr '[:upper:]' '[:lower:]') + VERSION=$(uname -r) + fi +} + +# 安装Supervisor +install_supervisor() { + echo -e "${GREEN}检测到操作系统: $OS $VERSION${NC}" + + case "$OS" in + ubuntu|debian) + apt-get update + apt-get install -y supervisor + ;; + centos|rhel|fedora) + if [ "$OS" = "rhel" ] && [ "${VERSION%%.*}" -ge 8 ]; then + dnf install -y supervisor + else + yum install -y supervisor + fi + ;; + alpine) + apk add --no-cache supervisor + mkdir -p /etc/supervisor.d + ;; + arch) + pacman -Sy --noconfirm supervisor + ;; + *) + echo -e "${RED}不支持的操作系统,尝试pip安装...${NC}" + if ! command -v pip &> /dev/null; then + python -m ensurepip --upgrade + fi + pip install supervisor + ;; + esac +} + +# 启动服务 +start_service() { + echo -e "${GREEN}启动Supervisor服务...${NC}" + + case "$OS" in + ubuntu|debian) + systemctl enable supervisor + systemctl restart supervisor + ;; + centos|rhel|fedora) + systemctl enable supervisor + systemctl restart supervisor + ;; + alpine) + rc-update add supervisor + rc-service supervisor start + ;; + arch) + systemctl enable supervisor + systemctl restart supervisor + ;; + *) + echo -e "${YELLOW}无法自动启动服务,请手动启动${NC}" + ;; + esac + + # 验证服务状态 + if ! command -v supervisord &> /dev/null; then + echo -e "${RED}Supervisor安装失败${NC}" + exit 1 + fi +} + +# 主函数 +main() { + detect_os + install_supervisor + start_service +} + +main "$@"` } diff --git a/core/init/migration/migrations/init.go b/core/init/migration/migrations/init.go index bf21a8407..29381f0dc 100644 --- a/core/init/migration/migrations/init.go +++ b/core/init/migration/migrations/init.go @@ -323,7 +323,7 @@ var AddSystemIP = &gormigrate.Migration{ } var InitScriptLibrary = &gormigrate.Migration{ - ID: "20250328-init-script-library", + ID: "20250408-init-script-library", Migrate: func(tx *gorm.DB) error { if err := tx.AutoMigrate(&model.ScriptLibrary{}); err != nil { return err